
New in Wordfence 6.3.11: Abandoned and Removed Plugin Alerts

On Thursday of last week, we released Wordfence 6.3.11, which included a really exciting new feature: we now alert you if you are running a plugin that either appears to be abandoned or has been removed from the WordPress.org plugin directory. In this post, we explain how each of these new alerts works and why they’re so important to the security of your website.

Abandoned Plugins

At Wordfence, we define a potentially abandoned plugin as one that has not been updated by its developers in at least 2 years. In May, we analyzed the plugins in the WordPress.org repo and found that almost half of them hadn’t been updated in over 2 years. Over a third of them had a compatibility tag for a WordPress version dating back to 2014 or earlier.

The alert we send tells you how long it’s been since the developer updated the plugin, as well as whether we found reference to any unpatched security issues with it and whether it has been tested with the current version of WordPress.

Why Should You Care if a Plugin Hasn’t Been Updated Recently?

If a developer hasn’t updated a plugin in two or more years, there is a really good chance that the plugin author has actually abandoned the plugin altogether. An author that has abandoned a plugin is very unlikely to fix any security vulnerabilities that users have reported. No plugin is immune to becoming a security vulnerability on a website, even simple plugins with small user bases. Simply put, the older a plugin’s code, the higher the risk of security issues.

Let’s look at ways that vulnerabilities happen or are discovered:

1. Many Plugins Use Software Components That Were Written by Someone Else

One of our favorite examples is the TimThumb vulnerability that was discovered in 2011 by someone we know quite well here at Wordfence. TimThumb was an image-sizing utility that was included in lots of themes and plugins. Once the WordPress community discovered the vulnerability, all of the theme and plugin authors who had used it had to scramble to release a fix of their own for each of their plugins.

In the case of an abandoned plugin, the authors wouldn’t likely be available to apply a quick fix. To this day, we continue to see attacks seeking to exploit this very old vulnerability on sites that we protect.

2. WordPress Plugins Function in a Very Dynamic Environment

WordPress.org publishes core WordPress updates constantly, and updates to PHP, Apache, Nginx and other plugins and themes are posted at least as often. This continually changing landscape represents a security risk over time.

A great example is the ‘add_query_arg()’ and ‘remove_query_arg()’ issue that GoDaddy/Sucuri discovered two years ago. The issue here was with a WordPress function that plugin and theme developers use to interact with WordPress core. To fix the issue, each plugin developer needed to update their code and push updates. Any plugin author who was no longer paying attention would likely miss this and leave the vulnerabilities in their code.

As of this writing, the WPVulndb website has publicly reported five WordPress plugin vulnerabilities in the last week alone.

When a security researcher discovers a vulnerability, they reach out to the developer, disclose the details and give them a fixed amount of time to release a fix. Once the author releases the fix, the researcher generally publishes their findings publicly.

However, in cases where the author does not respond, such as with an abandoned plugin, the researcher will sometimes release the details anyway, giving attackers the information they need to exploit it. The worst case scenario is when an attacker is the first to discover a vulnerability, leaving literally all of the sites running that plugin vulnerable to attack before developers get the chance to release a fix.

What Should You Do if One of Your Plugins Appears to be Abandoned?

The best option in this situation is to remove the plugin and replace it with a plugin whose author is actively maintaining the code. If a suitable replacement doesn’t exist and you are a software developer, or know someone who is, it might be possible to assess the risk and potentially decide to maintain it yourself going forward if vulnerabilities are reported.

Plugins Removed from WordPress.org

Plugins listed in the WordPress.org plugin directory need to follow a set of guidelines. The list of requirements is long, so there are a wide variety of reasons why the WordPress.org team may remove a plugin.

One common security reason is that a security researcher has discovered a vulnerability, contacted the author without getting a response, and then contacted the WordPress plugin team about the author’s unresponsiveness. The WordPress plugin team will do their best to contact the author, but if they also receive no response, they will subsequently remove the plugin from the plugin directory.

It’s important to stress that not all of the reasons for removing a plugin represent something that should lead you to stop using the plugin, but many of those reasons are worth taking into consideration when deciding whether to keep a plugin on your website.

What Should You Do if the WordPress.org Directory Removes One of Your Site’s Plugins?

Your first course of action should be to try to determine why it was removed. If you’re able to verify that the plugin was removed for a non-security reason, then it might be okay to continue to use it. It’s a judgement call on your part based on all the information you’re able to gather. If you can’t figure out why it was removed, or you confirm that it was removed due to a security vulnerability that hasn’t been fixed, we recommend that you remove the plugin from your website immediately and find a well-maintained replacement for its functionality.

Conclusion

As we’ve written about in the past, vulnerable plugins are the most common way that attackers compromise WordPress websites. It is critical that, as a site owner, you only install (and keep) reputable plugins on your website, and that you keep them up-to-date and remove them if they are abandoned. The new alerts that we added last week should make that task much easier going forward.

Thank you! Thank you! I maintain several WordPress sites and I have a hard time keeping up with which plugins I need to keep an eye on because they aren't being maintained. When I got my first Wordfence notice about an abandoned plugin, all I did was "YES!" with a fist pump in the air!

Hi Jan, good question. Generally speaking, because we can't keep track of updates to those in the same standardized ways, the scans don't flag premium plugins that aren't in the WordPress plugin repository for new versions or last-updated dates. Hope that helps!

Sometimes it's possible to replace an abandoned plug-in with "a well-maintained replacement." In fact, I found several that were well-maintained with better functionality. Since I maintain 30+ sites, I wouldn't have looked for abandoned plug-ins without your prodding. Thanks for that.

But, I was dismayed to find plug-ins removed from the WordPress directory that had no suitable substitutes. These were helper/extender plug-ins for themes from a well-respected theme provider.

I understand that nobody wants to maintain "old" products forever. And lots of folks make money by constantly recycling websites. But just as the "community" got Microsoft to develop long life cycles, we need to pressure theme developers to be responsible for their themes and related plug-ins for more than a few years.

While Bruno makes a valid point about theme developers, the problem with knowing whether a theme has been abandoned or is currently OK on security is that there is no central repository like the wp plugin repository, and it would be an almost insurmountable task to identify each and every one.

E.g., we purchased commercial licenses for almost 600 themes from a dev team, then about 2 years ago the dev team joined w/ another dev team and abandoned all those themes. It became our responsibility to check and maintain them for our personal and customer use.

You're quite welcome, Mary. Whether you wait until a plugin hasn't been updated in two or more years before removing it is entirely up to you. There's no definitive consensus on what constitutes an abandoned plugin - some people only give a developer a year or even six months before they are no longer comfortable having a plugin activated on their site, while others feel that our criteria of two years is too strict! It's ultimately a judgment call on each site owner's part.

Developers have a broad variety of reasons for discontinuing work on a plugin, which can range from the personal to the professional to a combination of the two. A developer discontinuing work on a plugin doesn't necessarily mean they've vanished into thin air: if you or your development team want to continue updating a plugin, for example, sometimes the plugin's original developer will work with you to transition the software to your team and will remain otherwise available via social media or their web presence. So if you're curious about the status of a particular plugin, it's worth seeing if you can reach out to the author directly - the odds are good you may get a response!

Considering plugins in the WP repository are free, I can only assume some developers give up and abandon their plugins simply because of the lack of "appreciation" (income, funds, money, feedback, gratitude, warm fuzzy feeling, etc...)

We have a small yearly budget that gets distributed via the donation option to the developers we love and can only encourage other WP users to give back to the devs of worthy plugins.
You too could have a warm fuzzy feeling :)

I received information about a plugin that's been removed from WordPress.org *and* has a security vulnerability. Thankfully, WordFence's notice included a link to the vulnerability report, and from those details, I may actually be able to address the vulnerability myself with some code changes.

What do you recommend when the owner of a plugin says their old one is fine?

Wordfence said "Login Redirect" plugin by wpmudev was last updated 3 years and 1 month ago.

Should I just get Wordfence to ignore it?
Should wpmudev do a simple edit just so it shows as current?

I raised my concerns with wpmudev, and they said:

"Hi there

Thank you for your concern. Actually the plugin is not abandoned, it's just that no update has been needed so far, as the plugin does exactly what it says without any issue and is still compatible with the latest version of WordPress. If we find any issues, we will immediately push an update to fix that. So the plugin is safe to use.

Hope it helps! Please feel free to ask more questions if you have any.

Have a nice day!

Cheers,
Ash"

The reason I mention this on the post is it sounds like other Wordfence users are getting concerned and a knee-jerk reaction is happening, with them removing plugins when it's likely not abandoned, but just a simple plugin which is still fine.

Ultimately whether you decide to keep a plugin that hasn't been updated in years but whose developer assures you is still free of vulnerabilities as far as they know is a case-by-case judgment call on your part. Generally speaking - and, I should add, this is in no way any kind of commentary on the WPMUDev team either way! - if it's a developer you believe you can trust implicitly to stay on top of any security concerns and at the very least be readily available to fix any issues that may arise, and your Wordfence and Gravityscan scans are consistently coming up clean and all seems well on your website, it's probably safe to leave it. At the end of the day, that's entirely up to you and how you feel about entrusting the security of your site and data to that plugin. Hope that helps!